AWS User Login Profile Update by Different User
A user updating the login profile of another user in AWS CloudTrail logs may indicate privilege escalation attempts.
This activity monitors AWS CloudTrail logs for instances where a user updates the login profile of another user. The detection identifies UpdateLoginProfile events where the user making the change (userIdentity.userName) differs from the user whose profile is being updated (requestParameters.userName). This is critical for defenders because it might signify malicious activity, such as privilege escalation. Attackers might attempt to use compromised or lower-privilege accounts to modify the login profiles of higher-privilege accounts, potentially leading to unauthorized access and control within the AWS environment. This activity is detectable in AWS CloudTrail logs and requires the AWS add-on for Splunk.
Attack Chain
- An attacker gains initial access to an AWS account, possibly through credential compromise or other means.
- The attacker identifies a target user account with higher privileges or valuable access rights.
- The attacker uses the compromised account to execute the "UpdateLoginProfile" AWS API call.
- In the UpdateLoginProfile request, the attacker specifies the target user's username (requestParameters.userName) but uses the compromised account's credentials (userIdentity.userName).
- The AWS CloudTrail logs record the UpdateLoginProfile event, capturing the discrepancy between the user making the request and the user whose profile is being modified.
- Successful modification of the login profile allows the attacker to reset passwords, change MFA settings, or otherwise control the target user's account.
- The attacker leverages the now-compromised higher-privilege account to access sensitive data or resources.
Impact
A successful attack can lead to privilege escalation, where an attacker gains unauthorized access and control over critical AWS resources. This could result in data breaches, service disruption, or financial loss. The exact impact depends on the privileges associated with the compromised target account. Organizations using AWS are vulnerable if their IAM policies are not correctly configured or if user accounts are compromised.
Recommendation
- Deploy the Sigma rule
AWS Login Profile Update by Different Userto your SIEM and tune for your environment to detect suspicious UpdateLoginProfile events. - Investigate any alerts generated by the
AWS Login Profile Update by Different UserSigma rule, focusing on the user accounts involved and the source of the API call. - Review IAM policies to ensure least privilege and restrict the ability of users to modify other users' login profiles.
- Monitor AWS CloudTrail logs for any unusual or unauthorized API calls related to IAM or user management.
Detection coverage 2
AWS Login Profile Update by Different User
mediumDetects when a user updates the login profile of another user in AWS, potentially indicating privilege escalation.
AWS UpdateLoginProfile Outside Console
lowDetects UpdateLoginProfile events that don't originate from the AWS console, which may indicate programmatic or malicious activity.
Detection queries are available on the platform. Get full rules →